5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b

General

Target

5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Size

96KB
MD5

e7b50c2f2b86a2d531379e54feca0927
SHA1

90c9357d78ca70cfcba9dbc4eb59260669fbd2c9
SHA256

5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b
SHA512

76e37ac2853146348252a8fb63c6c1765072d3b664b7198aa55a049cf0eefc478a23d4ec5fcf49c95f5dcec7bce1cc2817202af958f1acf5e13c964b346646ab
SSDEEP

1536:ygqRorQ5n0GL/g6DneDv8/NeT9aGt4JvRGFQlAuPRKj7on7OBDr0wmuDQi65SMwc:ydoMZ/lwkI9agk5PRK3onCr/pSSfz1AV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe

Executes dropped EXE 3 IoCs

pid	Process
2848	Cfhkhd32.exe
2692	Dmbcen32.exe
2588	Dpapaj32.exe

Loads dropped DLL 9 IoCs

pid	Process
2688	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
2688	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
2848	Cfhkhd32.exe
2848	Cfhkhd32.exe
2692	Dmbcen32.exe
2692	Dmbcen32.exe
2616	WerFault.exe
2616	WerFault.exe
2616	WerFault.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2588	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2848	2688	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe	31
PID 2688 wrote to memory of 2848	2688	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe	31
PID 2688 wrote to memory of 2848	2688	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe	31
PID 2688 wrote to memory of 2848	2688	5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe	31
PID 2848 wrote to memory of 2692	2848	Cfhkhd32.exe	32
PID 2848 wrote to memory of 2692	2848	Cfhkhd32.exe	32
PID 2848 wrote to memory of 2692	2848	Cfhkhd32.exe	32
PID 2848 wrote to memory of 2692	2848	Cfhkhd32.exe	32
PID 2692 wrote to memory of 2588	2692	Dmbcen32.exe	33
PID 2692 wrote to memory of 2588	2692	Dmbcen32.exe	33
PID 2692 wrote to memory of 2588	2692	Dmbcen32.exe	33
PID 2692 wrote to memory of 2588	2692	Dmbcen32.exe	33
PID 2588 wrote to memory of 2616	2588	Dpapaj32.exe	34
PID 2588 wrote to memory of 2616	2588	Dpapaj32.exe	34
PID 2588 wrote to memory of 2616	2588	Dpapaj32.exe	34
PID 2588 wrote to memory of 2616	2588	Dpapaj32.exe	34

C:\Users\Admin\AppData\Local\Temp\5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe
"C:\Users\Admin\AppData\Local\Temp\5c16f1aba7a14f7b96dca47d44beee2316ffd1c1ca4581b0fb11c434c1ff6b6b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Cfhkhd32.exe
  C:\Windows\system32\Cfhkhd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\Dmbcen32.exe
    C:\Windows\system32\Dmbcen32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\Dpapaj32.exe
      C:\Windows\system32\Dpapaj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
754987708c8589990f11664200e7c7dc

SHA1
f5bd356331dcc466478d17ecc7394d680aa61123

SHA256
d8bbd9e8687afb4f0f94bf5d88ecd3b57a855da212b4c16e12bac787b1d2bcac

SHA512
e10129cf6edb17a164162f92a33d540ae413510aa698a9883709517b05dac74b04ea8bf6f7f0ba1cc90654427d9c15f1b6200df10c48570e5e0223679c01a286

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
01faab03bb73eff0d99ab3168ef731fa

SHA1
9098afba0332fce4550833769bfa3816df498a61

SHA256
6ab6bfed3994c97fd9b68bb7b03d3eaef2dde55f214d7ccf3310dcbfbd101943

SHA512
58ada84759815e60922f7a0617798ec873ab52eccb466b25d61d754f784e246830f955ce6ef3412088352e7233ae055374cb726fcf254873c63c62108cce60e3

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
e5717a26def42198aaafb9d60ae88d6d

SHA1
f962bf2c7610b16cb3c78a8acd863a1f8b5035a9

SHA256
675cd59be85a517af46d63d3888a7bba2276e69e13e2f9969d9f489551131fe7

SHA512
f7e0436a77b01841d3ca6a8ae817e44b7ff8f0f5cee8f22395a615a175b5b8d83bc401902e16763b8c4e85e0a6c691d3ca958ec1985650e214098737c0e938d1

Download Submit
memory/2588-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-13-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2688-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-12-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2688-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-40-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2692-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-52-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads